My question: Is there any reason not to allow multiple clients with their own client certificate (i.e., not using any shared cert) to access the same SSL endpoint in the mutual SSL scenario? (I.e., using a single endpoint; single server-side certificate for the specific domain; multiple clients accessing the endpoint via HTTPS and using mutual SSL)

Details of my scenario:

I am developing APIs in MuleSoft CloudHub; APIs will be hosted in a Virtual Private Cloud with a Dedicated Load Balancer (DLB). I want to have mutual SSL enabled for the consumers of my APIs. However, it appears that only a single client certificate can be associated with a single SSL endpoint (i.e., a server-side domain and cert with relevant CN) on the DLB.

Which means that if I have multiple business partners, and would like to have mutual SSL for all of them, I would need either multiple SSL endpoints (i.e., a domain/cert per partner), which could become a management headache, or have all partners use the same client cert (which would be stupid even if I could authenticate them at the API level by other means).
So my question is: why can't multiple client certs be associated with the same SSL endpoint / domain in a VPC/DLB configuration? This might be more of a CloudHub/MuleSoft question - and I did ask this on the CloudHub forum (no answers yet) - but I also would like to understand if there are generic reasons to disallow multiple client-side certs in a mutual SSL scenario.

Having a single server certificate and client certificates unique for each client is actually the common use case with client certificates. If there are limitations that you cannot implement this use case in the API you use then I would regard these as technical-only limitations which have nothing to do with security.
– Steffen Ullrich, Feb 1 '18 at 6:03

Thank you; this is what I encountered in many situations before and that's why I was surprised by the CloudHub/Mulesoft limitation. Must be indeed specific to the quirks of their implementation of the dedicated load balancer. I wanted to have more "ammunition" while opening a support case with them, and so wanted to hear from security experts. Thanks!
– Sasha K, Feb 1 '18 at 19:16
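The model Steffen Ullrich describes above, as an added Go example that is not part of the original thread and says nothing about how MuleSoft's DLB is implemented: one TLS endpoint with a single server certificate, a trust store holding the issuing CA, and a distinct certificate per client. The server only needs the CA in its trust store; it identifies each partner from the subject of the verified client certificate and refuses a certificate from any other issuer at the handshake. Every name here (Example Partner CA, api.example.test, partner-a/b/c, Unrelated CA) is constructed, the PKI is generated in memory, and the handshake runs over loopback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed: unique serial numbers for the in-memory test PKI

// issue builds a certificate for cn. With parent == nil it is a self-signed CA;
// otherwise it is signed by parent/parentKey. Returns the tls-ready cert, the
// parsed leaf and its private key (the key is only needed when cn is a CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaves may act as either side; the constructed hostname is what clients verify.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{"api.example.test"}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// handshakeCN stands up one endpoint (single server cert, trust store = caPool,
// client certificate required), connects with clientCert, and returns the CN the
// server saw on the verified client certificate, or the server's rejection error.
func handshakeCN(serverCert tls.Certificate, caPool *x509.CertPool, clientCert tls.Certificate) (string, error) {
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // every client must chain to caPool
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type verdict struct {
		cn  string
		err error
	}
	out := make(chan verdict, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			out <- verdict{"", err}
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		tc.SetDeadline(time.Now().Add(5 * time.Second))
		if err := tc.Handshake(); err != nil {
			out <- verdict{"", err} // verification failure surfaces here
			return
		}
		// RequireAndVerifyClientCert guarantees a verified peer chain; element 0 is the client leaf.
		out <- verdict{tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()

	cliConf := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      caPool, // the same CA also issued the server cert in this constructed PKI
		ServerName:   "api.example.test",
		MinVersion:   tls.VersionTLS12,
	}
	if cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf); err == nil {
		// With TLS 1.3 a client only learns of rejection on its first read, so read
		// once to let the server's verdict (or its clean close) arrive before closing.
		cli.SetDeadline(time.Now().Add(5 * time.Second))
		var b [1]byte
		_, _ = cli.Read(b[:])
		cli.Close()
	}
	v := <-out
	return v.cn, v.err
}

func main() {
	_, caCert, caKey := issue("Example Partner CA", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	server, _, _ := issue("api.example.test", false, caCert, caKey)
	// Two partners, each with its own key and certificate from the trusted CA.
	for _, partner := range []string{"partner-a", "partner-b"} {
		client, _, _ := issue(partner, false, caCert, caKey)
		cn, err := handshakeCN(server, pool, client)
		fmt.Printf("%s -> authenticated as %q, err=%v\n", partner, cn, err)
	}
	// A certificate from an issuer outside the trust store is refused at the handshake.
	_, otherCA, otherKey := issue("Unrelated CA", true, nil, nil)
	rogue, _, _ := issue("partner-c", false, otherCA, otherKey)
	_, err := handshakeCN(server, pool, rogue)
	fmt.Println("untrusted issuer ->", err)
}
```

Note that the per-partner authorization decision (which partner may call which API) is then made on the verified subject, not on which certificate the endpoint was configured with; the endpoint configuration only carries the trust store.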
